Zeus Config Decryptor

The banking trojan Zbot (aka WSNPOEM/Zeus/PRG) is still circulating “in-the-wild” in various modifications.

If you are tracking Zbot submissions on the ThreatExpert web site, you might find the following tool useful. It decrypts the contents of the configuration files downloaded by this trojan: DecodeZeusConfig.zip.

The decrypted config file will normally contain the URLs of additional components the trojan downloads, along with the URLs of the online banking services it attacks and the bogus HTML fields it attempts to inject into online banking login forms.

For example, analysis of the Zeus config file contents over the last week reveals the targeted URLs of the following online financial services: